Details
- Type: Improvement
- Status: In Review
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.10.0-b2
- Fix Version/s: 5.12.0-b1
- Component/s: None
- Labels: None
Description
If "My installation is behind a proxy or load balancer" is enabled under Settings > System > General, we look for and log the x-forwarded-for header instead, which should contain the original client IP.
However, if there is more than one proxy, each hop appends to x-forwarded-for, so the header ends up listing the IPs of every step from client to server.
When this setting is enabled we should detect whether x-forwarded-for contains multiple IPs and, if it does, parse them out and log only the first one, whether IPv4 or IPv6.
The relevant RFC is https://datatracker.ietf.org/doc/html/rfc7239 (Forwarded HTTP Extension).
Note that node identifiers may carry ports and other parameters; examples from the RFC:
Forwarded: for="_gazonk"
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17
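As an added example (not code from Blesta or from this ticket), a small Python parser that extracts the first client IP from either the RFC 7239 Forwarded header or the older X-Forwarded-For, handling quoting, bracketed IPv6 literals, ports and obfuscated identifiers such as "_gazonk". It goes one step beyond the ticket with a trusted-proxy walk, because the leftmost entry is whatever the client chose to send; the header dict, `remote_addr` and the trusted-proxy list are assumed inputs.

```python
import ipaddress
from typing import Dict, List, Optional

def node_list(headers: Dict[str, str]) -> List[str]:
    """Node identifiers in client-to-server order, from RFC 7239 Forwarded ("for="
    pairs; ',' separates hops, ';' separates parameters) or else X-Forwarded-For."""
    forwarded = headers.get("Forwarded")
    if forwarded:
        tokens = []
        for element in forwarded.split(","):
            for param in element.split(";"):
                key, _, value = param.partition("=")
                if key.strip().lower() == "for":   # parameter names are case-insensitive
                    tokens.append(value.strip())
        return tokens
    xff = headers.get("X-Forwarded-For", "")
    return [t.strip() for t in xff.split(",") if t.strip()]

def parse_node(token: str) -> Optional[str]:
    """IP of one node identifier, or None for obfuscated ("_gazonk"), "unknown"
    or malformed values. Strips quotes, IPv6 brackets and an optional port."""
    t = token.strip().strip('"')
    if t.startswith("["):              # "[2001:db8:cafe::17]:4711"
        t = t[1:].split("]", 1)[0]
    elif t.count(":") == 1:            # "192.0.2.60:8080" (a bare IPv6 has 2+ colons)
        t = t.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(t))   # canonical form, IPv4 or IPv6
    except ValueError:
        return None

def first_client_ip(headers: Dict[str, str]) -> Optional[str]:
    """What the ticket asks for: the leftmost parsable IP in the chain."""
    for token in node_list(headers):
        ip = parse_node(token)
        if ip:
            return ip
    return None

def client_ip_via_trusted_proxies(headers: Dict[str, str], remote_addr: str,
                                  trusted_proxies: List[str]) -> Optional[str]:
    """Safer variant: the leftmost entry is whatever the client sent, so walk from the
    right (remote_addr, the TCP peer) past our own proxies to the first foreign hop."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [parse_node(t) for t in node_list(headers)] + [remote_addr]
    for ip in reversed(chain):
        if ip is None or not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip                  # first hop not ours; None if that node was unparsable
    return chain[0]                    # every hop was one of our proxies
```

For logging, `first_client_ip` matches the ticket's requirement; the trusted-proxy variant is what to prefer where the logged address feeds rate limiting, bans or audit trails, since anything left of your own proxies' entries is client-supplied.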
Activity
Field | Original Value | New Value |
---|---|---|
Description | If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP. However, if there are more than 1 proxy, x-forwarded-for headers are appended to include all the IPs of all the steps from client to server. We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address.. whether IPv4 or IPv6. | If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP. However, if there are more than 1 proxy, x-forwarded-for headers are appended to include all the IPs of all the steps from client to server. We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address.. whether IPv4 or IPv6. Here is the RFC https://datatracker.ietf.org/doc/html/rfc7239 Note that IPs may contain ports and other data, examples: Forwarded: for="_gazonk" Forwarded: For="[2001:db8:cafe::17]:4711" Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17 |
Rank | Ranked higher |
Story Points | 3 |
Sprint | 5.11.0 Sprint 5 [ 204 ] |
Rank | Ranked higher |
Fix Version/s | 5.12.0-b1 [ 12000 ] | |
Fix Version/s | 5.11.0-b1 [ 11908 ] |
Sprint | 5.11.0 Sprint 5 [ 204 ] |
Rank | Ranked higher |
Sprint | 5.12.0 Sprint 4 [ 214 ] |
Rank | Ranked higher |
Assignee | Abdy Franco [ abdy ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Remaining Estimate | 0 minutes [ 0 ] | |
Time Spent | 3 hours, 45 minutes [ 13500 ] | |
Worklog Id | 17686 [ 17686 ] |
Status | In Progress [ 3 ] | In Review [ 5 ] |
Resolution | Fixed [ 1 ] |
Time Spent | 3 hours, 45 minutes [ 13500 ] | 5 hours, 11 minutes [ 18660 ] |
Worklog Id | 17710 [ 17710 ] |
Time Spent | 5 hours, 11 minutes [ 18660 ] | 6 hours, 38 minutes [ 23880 ] |
Worklog Id | 17716 [ 17716 ] |
Time Spent | 6 hours, 38 minutes [ 23880 ] | 1 day, 5 hours, 21 minutes [ 48060 ] |
Worklog Id | 17729 [ 17729 ] |
Sprint | 5.12.0 Sprint 4 [ 214 ] | 5.12.0 Sprint 4, 5.12.0 Sprint 5 [ 214, 215 ] |
Rank | Ranked higher |
Possible solution suggested at https://www.blesta.com/forums/index.php?/topic/33535-handle-http_x_forwarded_for-header-chaining/ though it may fall short of the RFC.